Promoting the Information Society: The EU Directive on Electronic Commerce

On 8 June 2000, the EU adopted the landmark 'electronic commerce' directive, a legal framework for the development of information society services. This article examines the rationale and evolution of EU policy for e-commerce and the key features of the directive. These include establishing the responsibilities of service and intermediary service providers, procedures for concluding on-line contracts and redress and enforcement mechanisms. It also explores the extent to which the directive clarifies the national law applicable to cross-frontier transactions and the relationship between the directive and private international law. The directive makes an important contribution to encouraging trust in the new technologies by establishing an EU-wide model for e-commerce, but it is by no means clear that it goes far enough. The continuing divergence of consumer protection policies and uncertainties about jurisdiction, securing redress, the liabilities of service providers and the status of contracts based upon web-site advertisements may continue to discourage the development of e-commerce in the Community.     

Taking a sledgehammer to crack the nut: The EU Enforcement Directive

In April 2004 the EU passed the Directive on Enforcement of Intellectual Property Rights amidst charges of “conflicting interest” and heavy-handed influence of the American entertainment industry. The Directive has received widespread condemnation from various sectors of the society for supporting private interest at the expense of public interest through the impositions of Mareva injunctions and Anton Piller Orders, even in instances of accidental and non-commercial infringements of the intellectual property right [Meller P. EU backs deal on copyright piracy. International Herald Tribune, NY; 2004]. This paper will examine the provisions of the Directive and determine its implications, in particular, as to whether they balance or not the rights of the right holders and public interest.     

The Power of EU Collective Action: The Impact of EU Data Privacy Regulation on US Business Practice

Contemporary critiques of globalisation processes often focus on the potential levelling of regulatory standards and the export by the United States of neoliberal norms of deregulation and market facilitation. This paper, in contrast, examines the extra-jurisdictional impact of EU regulatory policy on the behaviour of foreign private parties, even in powerful states such as the United States. Shaffer finds that the threat of curtailing access to the EU's large market provides the EU with leverage. By acting collectively, EU Member States can magnify the impact of European policy on US business practice and enhance EU Member State clout in the negotiation of de jure and de facto foreign standards. The site of analysis is the current dispute between the United States and the European Union over the provision of 'adequate' data privacy protection in accordance with the EU Directive on data privacy. The paper explores the many ways in which the Directive affects US practice through changing the stakes of US players – including regulators, businesses, privacy advocates, lawyers and privacy service providers – and thereby shifting the playing field in the United States on which competing interest groups clash. In examining the interaction of EU law, US practice and international trade rules, the author finds that WTO law, rather than constraining the Directive's extra-jurisdictional impact, provides the EU with a shield against US retaliatory threats, thereby facilitating a trading up of data privacy standards. The paper concludes by examining the conditions under which cross-border exchange can lead to a leveraging up of social protections: the desire for firms to expand their markets, Member States' collective bargaining power buttressed by market clout, the nature of luxury goods, the externalities of foreign under-regulation legitimising EU intervention, and the constraints of supranational trade rules.     

Reconsidering the Premises of Labour Law: Prolegomena to an EU Regulation on the Protection of Employees' Personal Data

With its 1985 Directive on Data Protection, the European Union highlighted its commitment to the constitutionalisation of European law and, in particular, underlined its vision of the individual European as a rights-bearing individual; empowered through 'knowledge' and thus advantaged in communicative processes of political/social/legal bargaining. As such, the move to a data protection regime founded upon notions of individual empowerment, also mirrors a recent and fundamental re‐alignment in the guiding principles of regulative labour law, which has seen the paradigm of 'collective laissez‐faire' challenged, if not superseded, by a redirected emphasis upon the communicative empowerment of the individual employee rather than the representative function of employees' representatives. Accordingly, it is less than surprising that the field of labour law has seen increasing demands placed upon the Commission to fulfil its promise in the pre-amble to the 1985 Directive, and promulgate Regulations crafted to ensure data protection in line with the specific demands of individual societal sectors. This paper is a policy statement. It re-iterates the need for a Regulation on the protection of employees' data. Building on the comparative experience of the Member States, it outlines the nature, provisions and scope which such a regulation should entail so as to reflect, both the reality of the modern employment relationship, and a new normative vision of the workplace which aims to inject such relationships with a measure of communicative participation.     

The Transfer of Personal Data to Third Countries Under EU Directive 95/46/EC

The 1981 Council of Europe Convention 108 and EU Directive 95/46/ EC assert that data protection is privacy protection. Consequently, countries with data protection rules control trans-border data flows to protect the rights of their citizens. Under the Directive, but subject to some derogations, personal data may only be transferred to third countries with adequate protection. 'Adequacy' is to be assessed in the light of all the circumstances. Alternative safeguards can be provided by means such as contractual arrangements. The Data Protection Commissioners have tried to define 'adequacy' as the usual data protection principles plus an assurance of compliance. This can be delivered by self-regulation as well as formal law. The Directive has not made a radical break with the past. The usual principles are those found in Convention 108 and in the 1980 OECD Guidelines. Those instruments also dealt with the control of trans-border data flows because of fears of restrictions on the free flow of information. The flexibility of the effective current UK law, which permits flows whilst preventing those which would lead to a breach of data protection, would have prevented the acrimony of the current debate with third countries. National laws on transborder data flows long pre-date the Directive and data protection authorities can be expected to continue to promote pragmatic methods of protecting exported data such as the use of model contracts either as a basis for derogation from 'adequacy' or as part of a package to satisfy the adequacy test. Work is taking place to build bridges between those with formal law and others relying on self-regulation. In Ottawa last October OECD ministers reaffirmed the 1980 Guidelines and if practical privacy protection can be secured globally, transborder data-flow control is of much less concern.     

The implementation of the EU Prospectus Directive - a country-by-country analysis

Dr. Axel Gehringer HengelerMueller David Byers McCann FitzGerald, Solicitors, Dublin, Ireland Stefano Cuccia Head of Regulation, TLX, Milan Henri Wagner Allen and Overy, Luxembourg Petra Zijp NautaDutilh, Amsterdam José Manuel Cuenca and Yolanda Azanza Clifford Chance Daniel Bushner and Jonathan Parry Ashurst, London The first 150 words of the full text of this article appear below.

Contract Governance in the EU: Conceptualising the Relationship between Investor Protection Regulation and Private Law

The instrumental use of private law, in particular contract law, by the EU raises a complex issue concerning the relationship between contract‐related regulation and traditional private law and underlines the need for conceptualising the interplay between the two from the contract governance perspective. The present article aims to apply this new analytical approach in the investment services field where there is considerable tension between the EU investor protection regulation embodied in the Markets in Financial Instruments Directive (MiFID I and MiFID II) and national private laws. The article explores various models of relationship between investor protection regulation and traditional private law within a multi‐level EU legal order, considering the strengths and weaknesses of each field in pursuing public and private interests involved in financial contracting. This analysis also offers some lessons for the broader narrative of how European integration in regulated areas dominated by public supervision and enforcement could proceed.     

The Cyprus and other EU court rulings on data retention: The Directive as a privacy bomb

This paper discusses the controversy surrounding the Data Retention Directive with an emphasis on the 2011 decision of the Cyprus Supreme Court which has annulled several district court orders that allowed the police access to telecommunications data relating to certain persons relevant to criminal investigations. The annulment has been on the ground that the legal provisions upon which the orders have been issued are unconstitutional. It will suggest that the decision does not entail a direct rejection of the EU Data Retention Directive and that in any event, Cyprus is not a Member State resisting the particular measure. This is because the legal provisions are deemed unconstitutional, though part of the law that has transposed the relevant Directive into national law are provisions that go beyond what the EU legislator intended to regulate through that Directive. Still, the particular Directive sits rather uneasily within the ‘human rights’ regime, in particular the one governing the individual right of privacy.     

最新欧盟消费者权益指令的解读与借鉴

2011年10月25日,欧盟颁布了编号为2011/83/EU的消费者权益保护的最新指令。该指令主要规定了经营者向消费者提供信息的义务,以及消费者撤销合同的权利,这些规定反映了欧盟消费者权益保护法上的信息透明、利益均衡和私权救济的立法精神。我国《消费者权益保护法》制定于1993年,到如今我国社会经济生活发生了很大变化,很多内容已经不能满足今天的消费者权益保护之需。欧盟最新的消费者权益保护指令对完善我国《消费者权益保护法》具有很好的借鉴意义。     

EU General Data Protection Regulation: Changes and implications for personal data collecting companies

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.     

The new German Data Protection Act and its compatibility with the European Data Protection Directive

A substitution of the right to maintain mailing lists for marketing purposes (the so-called list privilege) by a strict opt-in requirement as proposed by the German Government for the amendment of the German Data Protection Act does not conform with European law. Making the use of relatively innocuous data like name and address for marketing purposes subject to the data subject's declaration of consent infringes upon the requirements of the European Data Protection Directive. The Directive allows for the use of personal data either on the basis of a data subject's declaration of consent or after a balancing of legally protected interests. Reducing this two-track model to a one-track model (based on the data subject's declaration of consent only) does not do justice to the idea of balancing of interests or free movement of goods and services which are a mandatory part of European law. The draft bill interferes drastically with the free movement of goods and services. A tightening of the opt-in requirements would be a severe burden for the German economy because it is impossible for businesses to distribute their goods and services without the help of marketing measures. The economic cycle would be hit at its weakest point, i.e. the link between businesses and consumers which is gaining more and more importance especially with a view to cross-border competition.     

The EU Proposal for a General Data Protection Regulation and the roots of the ‘right to be forgotten’

The EU Proposal for a General Data Protection Regulation has caused a wide debate between lawyers and legal scholars and many opinions have been voiced on the issue of the right to be forgotten. In order to analyse the relevance of the new rule provided by Article 17 of the Proposal, this paper considers the original idea of the right to be forgotten, pre-existing in both European and U.S. legal frameworks. This article focuses on the new provisions of Article 17 of the EU Proposal for a General Data Protection Regulation and evaluates its effects on court decisions. The author assumes that the new provisions do not seem to represent a revolutionary change to the existing rules with regard to the right granted to the individual, but instead have an impact on the extension of the protection of the information disseminated on-line.     

超越私权属性的个人信息共享——基于《欧盟一般数据保护条例》正当利益条款的分析

在获取、处理、使用和转移个人信息的过程中,各方主体之间存在信息权益冲突,迫切需要规范层面提供协调机制。关于信息权益的主体划分和保护层级、信息正当利益的法律内涵、各方主体利用信息的范围和界限等问题,学界尚未提出明确的解决思路。为推动社会治理和产业经济的数字化进程,个人对信息的绝对控制需要让位于信息正当利益的维护和实现。《欧盟一般数据保护条例》规定在某些情形下应该优先保护信息的正当利益,体现出欧盟调节各方信息权益时的权衡和取舍。借鉴《欧盟一般数据保护条例》的规制路径并结合我国的现实问题,我国立法应构建信息主体、其他自然人、国家机关、企业四方主体共享的个人信息权益体系,以妥善解决各方主体之间的权益冲突。     

The Data Protection (Amendment) Act, 2003: the Data Protection Directive and its implications for medical research in Ireland

Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data has been transposed into national law and is now the Data Protection (Amendment) Act, 2003. The Directive and the transposing Act provide for new obligations to those processing data. The new obligation of primary concern is the necessity to obtain consent prior to the processing of data (Article 7, Directive 95/46/EC). This has caused much concern especially in relation to 'secondary data' or 'archived data'. There exist, what seem to be in the minds of the medical research community, two competing interests: (i) that of the need to obtain consent prior to processing data and (ii) the need to protect and foster medical research. At the same time as the introduction of the Act, other prior legislation, i.e. the Freedom of Information Act, 1997-2003, has encouraged candour within the doctor-patient relationship and the High Court in Ireland, in the case of Geoghegan v. Harris, has promulgated the 'reasonable-patient test' as being the correct law in relation to the disclosure of risks to patients. The court stated that doctors have a duty to disclose all material risks to patients. The case demonstrates an example of a move toward a more open medical relationship. An example of this rationale was also recently seen in the United Kingdom in the House of Lords decision in Chester v. Afshar. Within the medical research community in Ireland, the need to respect the autonomy of patients and research participants by providing information to such parties has also been observed (Sheikh A. A., 2000 and Irish Council for Bioethics, 2005). Disquiet has been expressed in Ireland and other jurisdictions by the medical research communities in relation to the exact working and meaning of the Directive and therefore the transposing Acts (Strobl et al). This may be due to the fact that, as observed by Beyleveld "The Directive makes no specific mention of medical research and, consequently, it contains no provisions for medical research as an explicitly delineated category." (Beyleveld D., 2004) This paper examines the Irish Act and discusses whether the concerns expressed are well-founded and if the Act is open to interpretation such that it would not hamper medical research and public health work.     

The General Data Protection Regulation and the rise of certification as a regulatory instrument

The endorsement of certification in Article 42 and 43 of the General Data Protection Regulation (hereinafter GDPR) extends the scope of this procedure to the enforcement of fundamental rights. The GDPR also leverages the high flexibility of this procedure to make of certification something else than a voluntary process attesting the conformity with technical standards. This paper argues that the GDPR turned certification into a new regulatory instrument in data protection, I suggest to call it monitored self-regulation, seeking to fill the gap between self-regulation and traditional regulation in order to build a regulation continuum.     

Understanding the notion of risk in the General Data Protection Regulation

The goal of this contribution is to understand the notion of risk as it is enshrined in the General Data Protection Regulation (GDPR), with a particular on Art. 35 providing for the obligation to carry out data protection impact assessments (DPIAs), the first risk management tool to be enshrined in EU data protection law, and which therefore contains a number of key elements in order to grasp the notion. The adoption of this risk-based approach has not come without a number of debates and controversies, notably on the scope and meaning of the risk-based approach. Yet, what has remained up to date out of the debate is the very notion of risk itself, which underpins the whole risk-based approach. The contribution uses the notions of risk and risk analysis as tools for describing and understanding risk in the GDPR. One of the main findings is that the GDPR risk is about “compliance risk” (i.e., the lower the compliance the higher the consequences upon the data subjects' rights). This stance is in direct contradiction with a number of positions arguing for a strict separation between compliance and risk issues. This contribution sees instead issues of compliance and risk to the data subjects rights and freedoms as deeply interconnected. The conclusion will use these discussions as a basis to address the long-standing debate on the differences between privacy impact assessments (PIAs) and DPIAs. They will also warn against the fact that ultimately the way risk is defined in the GDPR is somewhat irrelevant: what matters most is the methodology used and the type of risk at work therein.     

Disclosure practices under the EU Prospectus Directive and the role of CESR

The first 150 words of the full text of this article appear below. Key points

• In February 2005, CESR issued its Recommendationsfor the consistent implementation of the Prospectus Regulation.
• SinceJuly 2006, CESR has begun to develop a line of clarificationson disclosure practices under the Prospectus Directive and theProspectus Regulation in the form of common positions basedon Frequently Asked Questions (FAQs).
• This article first analysesthe question to which extent CESR's Recommendations and commonpositions have binding effect, in the sense that individualnational securities regulators are under some form of obligationto apply these.
• Subsequently, the article discusses a selectionof CESR's common positions on FAQs which are of material importancefor day-to-day disclosure practice.